ABSTRACT

Formal characterizations for safety properties and liveness properties are given in terms of the structure of the Buchi automaton that specifies the property. The characterizations permit a property to be decomposed into a safety property and a liveness property whose conjunction is the original. The characterizations also give insight into techniques required to prove safety and liveness properties.
1. Introduction

Informally, a safety property stipulates that some “bad thing” does not happen during execution of a program and a liveness property stipulates that some “good thing” does happen (eventually) [Lamport 77]. Distinguishing between safety and liveness properties has merit because proving that a program satisfies a safety property involves an invariance argument [Lamport & Schneider 84] while proving that a program satisfies a liveness property involves a well-foundedness argument [Manna & Pnueli 84]. Thus, knowing whether a property is safety or liveness suffices for deciding on a technique to prove that the property holds.

The relationship between safety properties and invariance arguments and between liveness properties and well-foundedness arguments has—until now—not been formalized or proved. Rather, it was supported by practical experience in reasoning about concurrent and distributed programs in light of the informal definitions of safety and liveness given above. This paper substantiates that experience by formalizing safety and liveness in a way that permits the relationship between safety and invariance and between liveness and well-foundedness to be demonstrated. In so doing, we give new formal characterizations of safety and liveness and show that they satisfy the formal definitions in [Alpern & Schneider 85a]; we also give a new constructive proof that every property can be expressed as the conjunction of a safety and a liveness property.

We proceed as follows. In section 2, an automata-theoretic approach for specifying properties is described. Section 3 contains our new characterizations of safety and liveness. Section 4 shows that every property can be expressed as the conjunction of a safety property and a liveness property. The relationship between safety and liveness and various proof techniques is discussed in section 5. Section 6 discusses related work.


2. Histories and Properties

An execution of a program can be viewed as an infinite sequence $\sigma$ of program states

$$\sigma = s_0 s_1 \ldots$$

which we call a history. State $s_0$ is an initial state of the program, and each following state results from executing a single atomic action in the preceding state. For a terminating execution, an infinite sequence is obtained by repeating the final state. This corresponds to the view that a terminating execution is the same as a non-terminating execution in which after some finite time—once the program has terminated—the state remains

A property is a set of infinite sequences of program states. For an infinite sequence $\sigma$, we write $\sigma \models P$ to denote that $\sigma$ is in property $P$. A program satisfies a property $P$ if for each of its histories $h$, $h \models P$.


A property is usually specified by a characteristic predicate on sequences rather than by enumeration. Formulas of temporal logic can be interpreted as predicates on infinite sequences of states, and various formulations of temporal logic have been used for specifying properties [Lamport 83] [Lichtenstein et al. 85] [Manna & Pnueli 81] [Wolper 83]. However, for our purposes, it will be convenient to specify properties using Buchi automata—finite-state automata that accept infinite sequences [Eilenberg 74]. Mechanical procedures exist to translate any temporal formula into a corresponding Buchi automaton [Alpern 86] [Wolper 84], so using Buchi automata does not constitute a restriction. In fact, Buchi automata are more expressive than most temporal logic based specification languages—there exist properties that can be specified using Buchi automata but cannot be specified in (most) temporal logics [Wolper 83].

A Buchi automaton accepts those sequences of program states that are in the property it specifies. Figure 2.1 is an example of a Buchi automaton, $m_{TC}$, that accepts (i) all infinite sequences in which the first state satisfies a predicate $\neg Pre$ and (ii) all infinite sequences in which the first state satisfies $Pre$, a possibly empty sequence of states follows in which each satisfies $\neg Done$, and each state in the remaining infinite suffix satisfies $Done \wedge Post$. Thus, $m_{TC}$ specifies Total Correctness with precondition $Pre$, postcondition $Post$, where $Done$ holds if and only if the program has terminated.


[Figure 2.1: Buchi automaton $m_{TC}$ for Total Correctness. Arc labels legible in the scan: $Done \wedge Post$, $Pre \wedge Done \wedge Post$.]


Buchi automaton $m_{TC}$ contains four automaton states labeled $q_0$, $q_1$, $q_2$, and $q_3$. The start state is denoted by an arc with no origin and infinite-accepting states by concentric circles. An infinite sequence is accepted by a Buchi automaton if and only if it causes the recognizer to be infinitely often in some infinite-accepting state. In $m_{TC}$, $q_0$ is the start state, and both $q_2$ and $q_3$ are infinite-accepting states.

Arcs between automaton states are labeled by program state predicates called transition predicates. These define transitions between automaton states based on the next symbol read from the input. For example, the arc labeled $\neg Pre$ from $q_0$ to $q_2$ specifies that whenever $m_{TC}$ is in $q_0$ and the next symbol read is a program state satisfying $\neg Pre$, then a transition to $q_2$ is made. If the next symbol read by a Buchi automaton satisfies no transition predicate on an arc emanating from the current automaton state, the input is rejected; in this case, we say the transition is undefined for that symbol. This is used in $m_{TC}$ to ensure that an infinite sequence that starts with a state satisfying $Pre$ ends in an infinite sequence of states that each satisfy $Done \wedge Post$—once $m_{TC}$ enters $q_3$, every subsequent program state read must satisfy $Done \wedge Post$ or an undefined transition occurs.

When there is more than one start state or there is more than one transition possible from some automaton state for some input symbol, the automaton is non-deterministic; otherwise it is deterministic. Thus, $m_{TC}$ is deterministic because it has a single start state and disjoint transition predicates label the arcs that emanate from each automaton state.

Formally, a Buchi automaton $m$ for a property of a program $\pi$ is a five-tuple $(S, Q, Q_0, Q_\infty, \delta)$, where

$S$ is the set of program states of $\pi$,

$Q$ is the set of automaton states of $m$,

$Q_0 \subseteq Q$ is the set of start states of $m$,

$Q_\infty \subseteq Q$ is the set of infinite-accepting states of $m$,

$\delta \in (Q \times S) \to 2^Q$ is the transition function of $m$.

Transition predicates are derived from $\delta$ as follows. $T_{ij}$, the transition predicate associated with the arc from automaton state $q_i$ to $q_j$, is the predicate that holds for all program states $s$ such that $q_j \in \delta(q_i, s)$. Thus, $T_{ij}$ is false if no symbol can cause a transition from $q_i$ to $q_j$.

In order to formalize when $m$ accepts a sequence, some definitions are required. For any sequence $\sigma = s_0 s_1 \ldots$,

$$\sigma[i] \equiv s_i$$

$$\sigma[..i] \equiv s_0 s_1 \ldots s_i$$

$$|\sigma| \equiv \text{the length of } \sigma\ (\omega \text{ if } \sigma \text{ is infinite}).$$

Transition function $\delta$ can be extended to handle finite sequences of program states in the usual way:

$$\delta(q, \sigma) = \begin{cases} \{q\} & \text{if } |\sigma| = 0 \\ \bigcup_{q' \in \delta(q,\ \sigma[..|\sigma|-2])} \delta(q', \sigma[|\sigma|-1]) & \text{if } 0 < |\sigma| < \omega \end{cases}$$


A run of $m$ for an infinite sequence $\sigma$ is a sequence $\rho$ of automaton states that $m$ could be in while reading $\sigma$. Thus, for $\rho$ to be a run for $\sigma$, $\rho[0] \in Q_0$, and $(\forall i:\ 0 < i < |\sigma|:\ \rho[i] \in \delta(\rho[i-1], \sigma[i-1]))$. Let $r_m(\sigma)$ be the set of runs of $m$ on $\sigma$. (It is a set because $m$ might be non-deterministic.) Define $INF_m(\sigma)$ to be the set of automaton states that appear infinitely often in some element of $r_m(\sigma)$. Then, $\sigma$ is accepted by $m$ if and only if $INF_m(\sigma) \cap Q_\infty \neq \emptyset$.

Any set of finite sequences that can be recognized by a non-deterministic, finite-state automaton can be recognized by some deterministic, finite-state automaton [Hopcroft & Ullman 79]. Unfortunately, Buchi automata do not enjoy this equivalence—there are sets of infinite sequences that can be recognized by non-deterministic Buchi automata but by no deterministic one [Eilenberg 74]. However, for our purposes it suffices to restrict attention to properties specified by deterministic Buchi automata because [Alpern & Schneider 85b] proves the following for a program $\pi$ that satisfies a property $ND$ specified by a non-deterministic Buchi automaton: if $\pi$ has a finite state space then there exists a property $D$ such that $D \subseteq ND$, $D$ is specified by a deterministic Buchi automaton, and $\pi$ satisfies $D$.

Examples of Properties

A Buchi automaton $m_{PC}$ that specifies Partial Correctness is shown in Figure 2.2. As in $m_{TC}$ (Figure 2.1), $Pre$ is a transition predicate that holds for states satisfying the given precondition, $Done$ holds for states in which the program has terminated, and $Post$ holds for states satisfying the given postcondition. Thus, $m_{PC}$ accepts all sequences in which the first state satisfies $\neg Pre$, as well as all sequences in which the first state satisfies $Pre$ and every subsequent state satisfies $Done \Rightarrow Post$.


A Buchi automaton for Mutual Exclusion of two processes is given in Figure 2.3. We assume transition predicate $CS_1$ ($CS_2$) holds for any state in which process 1 (process 2) is executing in its critical section.

[Figure 2.3: Buchi automaton for Mutual Exclusion; the diagram is not recoverable from the scan.]


Starvation Freedom for a mutual exclusion protocol is specified by the Buchi automaton of Figure 2.4. A process becomes enabled when its state satisfies the predicate $Request_1$, which characterizes the state of process 1 whenever it attempts to enter its critical section, and makes progress when its state satisfies the predicate $Served_1$, which holds whenever process 1 enters its critical section. Notice that the automaton exploits the fact that in a mutual exclusion protocol process 1 will make but a single request for each entry into the critical section.

[Figure 2.4: Buchi automaton for Starvation Freedom. Arc labels legible in the scan: $\neg Served_1$, $Served_1$.]


3. Recognizers for Safety and Liveness


Just as properties can be viewed in terms of proscribed “bad things” and prescribed “good things”, so can Buchi automata. When a “bad thing” (“good thing”) of the property occurs, we would expect a “bad thing” (“good thing”) to happen in the recognizer for that property. The “bad thing” for a Buchi automaton is making an undefined transition because if such a “bad thing” happens (in every run) while reading an input, the Buchi automaton will not accept that input. The “good thing” for a Buchi automaton is entering an infinite-accepting state, because we require this “good thing” to happen infinitely often for an input to be accepted. Having isolated these “bad things” and “good things”, it is possible to give an automata-theoretic characterization of safety and liveness.


Recognizing Safety

Define a safety recognizer to be a deterministic Buchi automaton in which

SR: Every cycle contains an infinite-accepting state.

In a safety recognizer, “good things” are inevitable, unless they become impossible due to an undefined transition, which is a “bad thing”. Both $m_{PC}$ (Figure 2.2) and the Mutual Exclusion automaton of Figure 2.3 are examples of safety recognizers.

There is a natural correspondence between safety recognizers and safety properties. To prove this, we require the following formal definition of a safety property [Alpern & Schneider 85a]. Consider a property $P$ that stipulates that some “bad thing” does not happen. If a “bad thing” happens in an infinite sequence $\sigma$, then it must do so after some finite prefix and must be irremediable. Thus, if $\sigma \not\models P$, there is some prefix of $\sigma$ (that includes the “bad thing”) for which no extension to an infinite sequence will satisfy $P$. Taking the contrapositive of this, we get a formal definition of a safety property $P$:

$$\text{Safety: } (\forall \sigma:\ \sigma \in S^\omega:\ \sigma \not\models P \Rightarrow (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P))). \qquad (3.1)$$

where $S$ is the set of program states, $S^*$ the set of finite sequences of states, $S^\omega$ the set of infinite sequences of states, and juxtaposition is used to denote catenation of sequences.

Now we can prove that safety recognizers and safety properties specified by deterministic Buchi automata are equivalent.

Theorem 1: Safety recognizers specify only safety properties.

Proof. Assume $m_{Safe}$ is a safety recognizer for a property $Safe$. We must show that $Safe$ satisfies (3.1).

Let $\sigma$ be an infinite sequence not accepted by $m_{Safe}$. Thus, $\sigma \not\models Safe$, and according to (3.1) we must show

$$(\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models Safe)). \qquad (3.2)$$

Since $\sigma$ is not accepted by $m_{Safe}$, and $m_{Safe}$ is a safety recognizer (so a run that never takes an undefined transition traverses some cycle infinitely often and, by SR, enters an infinite-accepting state infinitely often), it must attempt an undefined transition upon reading some finite prefix $\sigma[..i]$. Consequently $m_{Safe}$ rejects any sequence beginning with $\sigma[..i]$ and

$$(\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models Safe).$$

Showing that $(3.2) \Rightarrow \sigma \not\models Safe$ is trivial, so $Safe$ satisfies (3.1) and we conclude that $Safe$ is a safety property. □

Theorem 2: Any safety property specified by a deterministic Buchi automaton can be specified by a safety recognizer.

Proof. Let $P$ be a safety property specified by a deterministic Buchi automaton $m_P$ with initial state $q_0$. Construct $m_{Safe(P)}$ with transition function $\delta_{Safe(P)}$ from $m_P$ as follows.

(1) Delete all states from which no infinite-accepting state is reachable.

(2) Make all remaining states infinite-accepting.

The resulting automaton satisfies SR, so it is a safety recognizer. Let $Safe(P)$ be the property specified by $m_{Safe(P)}$.

Notice that $P \subseteq Safe(P)$. This is because the states deleted in step (1) of the construction of $m_{Safe(P)}$ cannot be reached in an accepting run of $m_P$ and step (2) in the construction cannot cause a sequence accepted by $m_P$ to be rejected by $m_{Safe(P)}$.

It remains to show that $Safe(P) \subseteq P$. Suppose $\sigma \models Safe(P)$; we must show $\sigma \models P$. For any arbitrary $i$, let $q = \delta_{Safe(P)}(q_0, \sigma[..i])$. By construction of $m_{Safe(P)}$ there must exist a sequence of program states $\beta_0$ and an infinite-accepting state $q_1$ of $m_P$ such that $\delta_{Safe(P)}(q, \beta_0) = q_1$. We can now construct a series of finite sequences $\beta_1, \beta_2, \ldots$, where each $\beta_j$ causes $m_P$ to enter an infinite-accepting state when started in the infinite-accepting state that it is left in by $\beta_{j-1}$. This is possible due to step (1) in the construction of $m_{Safe(P)}$, which ensures that an infinite-accepting state is reachable from every automaton state. Define $\beta = \beta_0 \beta_1 \ldots$. Clearly, $\sigma[..i]\beta \models P$ because $\sigma[..i]\beta$ causes $m_P$ to enter an infinite-accepting state infinitely often. Since $P$ is a safety property, we conclude $\sigma \models P$ due to (3.1). □

Recognizing Liveness

Define a liveness recognizer to be a deterministic Buchi automaton in which

LR1: All states have transitions defined for every program state.

LR2: There is a path from every automaton state to an infinite-accepting state.

LR1 ensures that “bad things” are not possible for a liveness recognizer; LR2 ensures that a “good thing” is always possible. The Buchi automaton of Figure 2.4 is an example of a liveness recognizer.

There is a natural correspondence between liveness recognizers and liveness properties. To prove this, we require the following formal definition of liveness properties [Alpern & Schneider 85a]. The thing to observe about a liveness property is that no partial execution is irremediable, since if some partial execution were irremediable, then it would be a “bad thing”. We take this to be the defining characteristic of liveness. Thus, $P$ is a liveness property if and only if

$$\text{Liveness: } (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P)) \qquad (3.3)$$

Now we can prove that liveness recognizers and liveness properties specified by deterministic Buchi automata are equivalent.

Theorem 3: Liveness recognizers specify only liveness properties.

Proof. Assume $m_{Live}$ is a liveness recognizer for a property $Live$. We must show that $Live$ satisfies (3.3).

Let $\alpha$ be a finite sequence. To show that (3.3) holds, we must show that there is an infinite sequence $\beta$ such that $\alpha\beta \models Live$. Due to LR1, $m_{Live}$ cannot attempt an undefined transition upon reading $\alpha$. Thus, $\alpha$ leaves $m_{Live}$ in some automaton state $q$. Due to LR2, there is a path of automaton states from $q$ to some infinite-accepting state $q'$. Let $\beta_0$ be a finite input that takes $m_{Live}$ from $q$ to $q'$. Again, by LR2, there must be a path from $q'$ to an infinite-accepting state $q''$. Let $\beta_1$ be a finite input that takes $m_{Live}$ from $q'$ to $q''$. This argument can be repeated, resulting in an infinite sequence $\beta = \beta_0 \beta_1 \ldots$. Moreover, $\alpha\beta$ causes $m_{Live}$ to be in some infinite-accepting state infinitely often. Thus, $\alpha\beta$ is accepted by $m_{Live}$ and so $\alpha\beta \models Live$ and (3.3) holds. □

Theorem 4: Any liveness property specified by a deterministic Buchi automaton can be specified by a liveness recognizer.

Proof. Let $P$ be a liveness property specified by a deterministic Buchi automaton $m_P$ with transition function $\delta_P$ and initial state $q_0$. Construct $m_{Live(P)}$, with transition function $\delta_{Live(P)}$, from $m_P$ as follows.

(1) Delete states from which no infinite-accepting state is reachable.

(2) Add a new infinite-accepting state $q_t$ that has a transition to itself on all input symbols.

(3) For every state $q$ that has an undefined transition on any input symbol $x$, add a transition from $q$ to $q_t$ under $x$.

The resulting automaton satisfies LR1 and LR2, hence it is a liveness recognizer. Let $Live(P)$ be the property specified by $m_{Live(P)}$.

Notice that $P \subseteq Live(P)$. This is because the states deleted in step (1) of the construction of $m_{Live(P)}$ cannot be reached in an accepting run of $m_P$ and steps (2) and (3) in the construction cannot cause a sequence accepted by $m_P$ to be rejected by $m_{Live(P)}$.

It remains to show that $Live(P) \subseteq P$. Suppose $\sigma \models Live(P)$ and, by way of contradiction, $\sigma \not\models P$. Since $\sigma \not\models P$, we conclude that $q_t$ appears infinitely often in the run of $m_{Live(P)}$ on $\sigma$. Let $i$ be the smallest integer such that $\delta_{Live(P)}(q_0, \sigma[..i]) = q_t$. Since $\sigma \not\models P$, due to the construction of $m_{Live(P)}$, $\delta_P(q_0, \sigma[..i])$ is undefined or there is no path in $m_P$ from $\delta_P(q_0, \sigma[..i])$ to an infinite-accepting state. In either case, $m_P$ will reject infinite sequence $\sigma[..i]\beta$ for any $\beta \in S^\omega$. Thus, $P$ does not satisfy (3.3). This contradicts the assumption that $P$ is a liveness property. □

4. Partitioning into Safety and Liveness

Given a deterministic Buchi automaton, it is not difficult to construct a safety recognizer and a liveness recognizer that specify properties whose intersection is the original property. This shows that every property that is specified by a deterministic Buchi automaton is equivalent to the conjunction of a safety property and a liveness property that can each be specified by deterministic Buchi automata.

Theorem 5: Given a property $P$ specified by a deterministic Buchi automaton $m_P$, there are properties $Safe(P)$ and $Live(P)$ with recognizers $m_{Safe(P)}$ and $m_{Live(P)}$ such that

(i) $m_{Safe(P)}$ is a safety recognizer,

(ii) $m_{Live(P)}$ is a liveness recognizer, and

(iii) $P = Safe(P) \cap Live(P)$.

Proof. Construct safety recognizer $m_{Safe(P)}$ as in the proof of Theorem 2. Construct liveness recognizer $m_{Live(P)}$ as in the proof of Theorem 4. It remains to show that $P = Safe(P) \cap Live(P)$.

Suppose an infinite sequence $\sigma$ is accepted by $m_P$. To show that $P \subseteq Safe(P) \cap Live(P)$, we must show that $\sigma$ is accepted by both $m_{Safe(P)}$ and $m_{Live(P)}$. Step (2) in the construction of $m_{Safe(P)}$ and steps (2) and (3) in the construction of $m_{Live(P)}$ cannot cause a sequence accepted by $m_P$ to be rejected by either recognizer. The states deleted in step (1) of both constructions cannot be reached in an accepting run of $m_P$. So, deleting them will not cause a sequence accepted by $m_P$ to be rejected by either $m_{Safe(P)}$ or $m_{Live(P)}$. Thus, both $m_{Safe(P)}$ and $m_{Live(P)}$ accept $\sigma$.

Now suppose an infinite sequence $\sigma$ is not accepted by $m_P$. We must show that either $m_{Safe(P)}$ or $m_{Live(P)}$ rejects $\sigma$. Since $m_P$ rejects $\sigma$, either (i) it makes an undefined transition on $\sigma$, or (ii) $m_P$ does not enter an infinite-accepting state after some finite prefix of $\sigma$. In case (i), $m_{Safe(P)}$ does not accept $\sigma$. In case (ii), on reading $\sigma$, $m_P$ loops in non-infinite-accepting states. Either all of these non-infinite-accepting states were deleted from $m_{Safe(P)}$ in step (1) of its construction, in which case $\sigma$ will be rejected by $m_{Safe(P)}$, or else they were not deleted in either $m_{Safe(P)}$ or $m_{Live(P)}$ (since step (1) is the same for both) and therefore $m_{Live(P)}$ will reject $\sigma$. □

The construction of Theorem 5 is now illustrated for $m_{TC}$ of Figure 2.1, which specifies Total Correctness. The safety recognizer is:

[Figure: $m_{Safe(TC)}$. Arc labels legible in the scan: $\neg Done$, $Pre \wedge \neg Done$, $Done \wedge Post$, $Pre \wedge Done \wedge Post$.]

The liveness recognizer is:

[Figure: $m_{Live(TC)}$. Arc labels legible in the scan: $Pre \wedge Done \wedge \neg Post$, $Done \wedge \neg Post$, $\neg Done \vee \neg Post$, $\neg Done$, $Pre \wedge \neg Done$, $Done \wedge Post$, $Pre \wedge Done \wedge Post$.]

However, $m_{Live(TC)}$ can be simplified by combining the three infinite-accepting states, resulting in the equivalent liveness recognizer:

[Figure: $m_{Live(TC)}$, simplified. Arc label legible in the scan: $\neg Done$.]
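As an added illustration, not code from the paper, the following Python reconstructs $m_{TC}$ from the prose description of Figure 2.1 above (arc labels the scan does not show are inferred from that description), applies the constructions from the proofs of Theorems 2 and 4, checks SR, LR1 and LR2 structurally, and decides acceptance of ultimately periodic histories $u v^\omega$ so that Theorem 5(iii) can be exercised on concrete histories. The state names, the encoding of a program state as a (Pre, Done, Post) triple of truth values, and the trap state name q_t are this example's assumptions.

```python
"""Added example: DBAs, the Safe(P)/Live(P) constructions (Theorems 2, 4), lasso acceptance; applied to m_TC."""
from itertools import product

ALPHABET = list(product((False, True), repeat=3))  # a program state = (Pre, Done, Post) truth values

class DBA:
    """Deterministic Buchi automaton whose arcs carry transition predicates T_ij."""
    def __init__(self, states, start, accepting, arcs):
        self.states, self.start, self.accepting = set(states), start, set(accepting)
        self.arcs = {q: [] for q in self.states}
        for src, pred, dst in arcs:
            self.arcs[src].append((pred, dst))
    def step(self, q, s):
        """Next automaton state, or None when the transition is undefined for s."""
        targets = [dst for pred, dst in self.arcs[q] if pred(s)]
        assert len(targets) <= 1, "transition predicates must be disjoint"
        return targets[0] if targets else None
    def run(self, q, word):
        """Read a finite word from q; return (final state or None, states entered)."""
        visited = set()
        for s in word:
            q = self.step(q, s)
            if q is None:
                return None, visited
            visited.add(q)
        return q, visited
    def reachable(self, q, within=None):
        """States reachable from q in one or more steps, optionally only via `within`."""
        allowed, seen, todo = (self.states if within is None else within), set(), [q]
        while todo:
            cur = todo.pop()
            new = ({self.step(cur, s) for s in ALPHABET} & allowed) - seen
            seen |= new
            todo += new
        return seen
    def is_safety_recognizer(self):
        """SR: no non-accepting state can return to itself through non-accepting states."""
        non_acc = self.states - self.accepting
        return not any(q in self.reachable(q, non_acc) for q in non_acc)
    def is_liveness_recognizer(self):
        """LR1: no undefined transitions; LR2: every state reaches an accepting one."""
        lr1 = all(self.step(q, s) is not None for q in self.states for s in ALPHABET)
        return lr1 and all(q in self.accepting or self.reachable(q) & self.accepting for q in self.states)
    def accepts(self, prefix, cycle):
        """Accept prefix . cycle^omega iff INF_m (states entered in the repeating rounds) meets Q_inf."""
        q, _ = self.run(self.start, prefix)
        round_start, rounds = {}, []
        while q is not None and q not in round_start:
            round_start[q] = len(rounds)
            q, visited = self.run(q, cycle)
            rounds.append(visited)
        return q is not None and bool(set().union(*rounds[round_start[q]:]) & self.accepting)

def _step1(m):
    """Step (1) of both constructions: delete states that cannot reach an accepting state."""
    keep = {q for q in m.states if q in m.accepting or m.reachable(q) & m.accepting}
    assert m.start in keep, "the constructions assume P is non-empty"
    return keep, [(a, p, b) for a in keep for p, b in m.arcs[a] if b in keep]

def safe(m):
    """Theorem 2: after step (1), make every remaining state infinite-accepting (step 2)."""
    keep, arcs = _step1(m)
    return DBA(keep, m.start, keep, arcs)

def live(m, trap="q_t"):
    """Theorem 4: after step (1), add accepting trap q_t looping on every symbol (2); redirect undefined transitions to it (3)."""
    keep, arcs = _step1(m)
    for q in keep:
        undefined = frozenset(s for s in ALPHABET if not any(p(s) for a, p, _ in arcs if a == q))
        if undefined:
            arcs.append((q, lambda s, u=undefined: s in u, trap))
    arcs.append((trap, lambda s: True, trap))
    return DBA(keep | {trap}, m.start, (m.accepting & keep) | {trap}, arcs)

def decomposition_holds(m, n=2):
    """Theorem 5(iii), P = Safe(P) ∩ Live(P), on every lasso with |prefix|, |cycle| <= n."""
    ms, ml = safe(m), live(m)
    words = [list(w) for k in range(n + 1) for w in product(ALPHABET, repeat=k)]
    return all(m.accepts(u, v) == (ms.accepts(u, v) and ml.accepts(u, v))
               for u in words for v in words if v)

PRE, DONE, POST = (lambda s: s[0]), (lambda s: s[1]), (lambda s: s[2])
# m_TC of Figure 2.1 as described in the text: q0 start, q2 and q3 infinite-accepting.
M_TC = DBA({"q0", "q1", "q2", "q3"}, "q0", {"q2", "q3"}, [
    ("q0", lambda s: not PRE(s), "q2"),                      # ¬Pre
    ("q0", lambda s: PRE(s) and not DONE(s), "q1"),          # Pre ∧ ¬Done
    ("q0", lambda s: PRE(s) and DONE(s) and POST(s), "q3"),  # Pre ∧ Done ∧ Post
    ("q1", lambda s: not DONE(s), "q1"),                     # ¬Done
    ("q1", lambda s: DONE(s) and POST(s), "q3"),             # Done ∧ Post
    ("q2", lambda s: True, "q2"),                            # every program state
    ("q3", lambda s: DONE(s) and POST(s), "q3"),             # Done ∧ Post
])
```

`decomposition_holds(M_TC)` confirms $P = Safe(P) \cap Live(P)$ on every lasso with prefix and cycle of length at most 2. A history that loops forever in $\neg Done$ is accepted by $m_{Safe(TC)}$ but not by $m_{Live(TC)}$, while one that terminates with $\neg Post$ is accepted by $m_{Live(TC)}$ (via the trap state) but not by $m_{Safe(TC)}$.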

5. Proof Obligations for Safety and Liveness

One can think of a deterministic Buchi automaton $m$ that specifies a property $P$ as simulating—in an abstract way—any program $\pi$ that satisfies $P$. This forms the basis for an approach to program verification described in [Alpern & Schneider 85b]. In that approach, a program $\pi$ is specified in terms of

• its set of atomic actions $A_\pi$, and

• a predicate $Init_\pi$ that describes its possible initial states.

To prove that every history of $\pi$ is in $P$, i.e. $\pi$ satisfies $P$, a set of assertions, called correspondence invariants, and a set of variant functions are constructed and shown to satisfy certain proof obligations. There is one correspondence invariant $C_i$ for each automaton state $q_i$ and one variant function $v_\kappa$ for each reject knot $\kappa$, where a reject knot is a maximal strongly connected subset of automaton states in $m$ containing no infinite-accepting states.

The first two proof obligations ensure that $C_j$ holds on a program state $s$ if there exists a history of $\pi$ containing $s$ and $m$ enters $q_j$ upon reading $s$.

$$\text{Correspondence Basis: } (\forall j:\ (Init_\pi \wedge T_{0j}) \Rightarrow C_j). \qquad (5.1)$$

Correspondence Induction: For all $a$: $a \in A_\pi$: For all $i$, $j$:

$$\{C_i\}\ a\ \{T_{ij} \Rightarrow C_j\} \qquad (5.2)$$

The next two obligations ensure that $m$ never attempts an undefined transition when reading a history of $\pi$.

$$\text{Transition Basis: } Init_\pi \Rightarrow (\vee j:\ q_j \in Q:\ T_{0j}) \qquad (5.3)$$

Transition Induction: For all $a$: $a \in A_\pi$: For all $i$: $q_i \in Q$:

$$\{C_i\}\ a\ \{(\vee j:\ q_j \in Q:\ T_{ij})\} \qquad (5.4)$$

The final two obligations ensure that $m$ does not loop forever in non-infinite-accepting states when reading a history of $\pi$.

$$\text{Knot Exit: For each reject knot } \kappa:\ (\forall i:\ q_i \in \kappa:\ (v_\kappa(q_i) = 0) \Rightarrow \neg C_i) \qquad (5.5)$$

Knot Variance: For each reject knot $\kappa$: For all $a$: $a \in A_\pi$: For all $i$: $q_i \in \kappa$:

$$\{C_i \wedge 0 < v_\kappa(q_i) = V\}\ a\ \{(\wedge j:\ q_j \in \kappa:\ (T_{ij} \wedge C_j) \Rightarrow v_\kappa(q_j) < V)\} \qquad (5.6)$$

Soundness and relative completeness of the approach is proved in [Alpern & Schneider 85b].

Returning to safety recognizers, observe that due to SR a safety recognizer has no reject knots. Thus, (5.5) and (5.6) are trivially satisfied by a safety recognizer. This means that proving that a program satisfies a safety property never requires a variant function (or well-foundedness argument). The remaining proof obligations for a safety recognizer constitute an invariance argument. We, therefore, conclude that safety properties are proved using only invariance arguments.

Returning to liveness recognizers, observe that, due to LR1, undefined transitions are not possible, so (5.3) and (5.4) are trivially satisfied when trying to prove that a program $\pi$ satisfies a property specified by a liveness recognizer. A liveness recognizer can have reject knots, so (5.5) and (5.6) must be proved—a variant function or well-foundedness argument is therefore required in proving a liveness property. In addition, an invariance argument is required because (5.1) and (5.2) must be satisfied.


6.  Related  Work 

The first formal definition of safety was given in [Lamport 85]. While that definition correctly captures the intuition for an important class of safety properties—those invariant under stuttering—it is inadequate for safety properties that are not invariant under stuttering. The formal definition of safety used in this paper, which was first proposed in [Alpern & Schneider 85a], is independent of stuttering; in [Alpern et al. 85] it is shown equivalent to Lamport's for properties that are invariant under stuttering. The definition of liveness in this paper also appeared in [Alpern & Schneider 85a]. In addition, in [Alpern & Schneider 85a], we proved that every property can be expressed as the conjunction of a safety property and a liveness property. That proof is based on a topology in which safety properties correspond to the closed sets and liveness properties to the dense sets. The automata-theoretic proof of this paper more closely follows the informal definitions of safety and liveness in terms of “bad things” and “good things”.

In [Sistla 85], an attempt is made to give syntactic characterizations for safety and liveness properties that are expressed in temporal logic. Deductive systems are given for safety and liveness formulas in a temporal logic with “eventually”, but without “next” or “until”. However, deductive systems for full (propositional) temporal logic are given for a subset of the safety properties, called strong safety properties, and for a subset of the liveness properties, called absolute liveness properties. Finally, [Sistla 85] proves that the states of a Buchi automaton for a safety property can be partitioned into “good” and “bad” states, where “bad” states are never entered in an accepting run. This result is equivalent to Theorem 2 of the current paper.

Another syntactic characterization of safety and liveness properties appears in [Lichtenstein et al. 85]. The definition of safety given there coincides with ours; the definition of liveness classifies some properties as liveness that our definition does not. We do not classify $p$ until $q$ as liveness because the occurrence of $\neg p$ before $q$ constitutes a “bad thing” and therefore $p$ until $q$ has elements of safety; [Lichtenstein et al. 85] consider it liveness. The definitions in [Lichtenstein et al. 85] are based on existing temporal logic inference rules (proof obligations) whereas our definitions are independent of proof techniques. This makes our results about the relationship between types of properties and proof techniques all the more interesting. Also, in contrast to the definitions in [Lichtenstein et al. 85], our characterizations of safety and liveness are independent of the notation used to express the properties and apply to a larger class of properties.